TR-369 USP for Modern MikroTik Mgmt

TR-369 (USP) replaces TR-069 with bidirectional WebSocket/MQTT messaging — and works with MikroTik today via agent bridges and MQTT translators.

Summary: TR-369 (also known as USP, the User Services Platform) is the Broadband Forum’s successor to TR-069. Where TR-069 relied on poll-based HTTP/SOAP, USP uses bidirectional persistent channels over WebSocket, MQTT, or CoAP for near-real-time control of routers, ONUs, Wi-Fi APs, IoT devices, and CPEs at scale. RouterOS does not ship a native USP agent yet, but three practical patterns — external agent bridges, MQTT translators, and hybrid TR-069+USP rollouts — let you adopt USP benefits on MikroTik fleets today.

What is TR-369 (USP)?

TR-369 is the Broadband Forum standard built as the successor to TR-069 (CWMP). Where TR-069 used HTTP/SOAP with a poll-based request/response model, USP keeps persistent bidirectional channels open between Controllers (the management plane) and Agents (running on or next to each device) for low-latency exchange of events, commands, and telemetry. Transport options are WebSocket, MQTT, and CoAP — lightweight protocols optimized for tens of thousands of devices per controller. Multiple controllers can manage the same device concurrently, each scoped by permissions.

The practical impact on operations is significant. TR-069’s polling forced trade-offs between freshness and load; USP’s event-driven model lets controllers subscribe to specific object changes and react immediately. The data model (USP Data Model, based on TR-181) represents device capabilities as objects, so a controller can subscribe to WiFi.SignalStrength and receive a push the moment RSSI drops below a threshold, rather than polling every five minutes hoping to catch the dip.

Core architecture

The four building blocks:

  • Controller — issues commands, subscribes to events, stores state for managed devices.
  • Agent — runs on or beside the device, implements the USP data model, executes controller commands.
  • Transport — WebSocket, MQTT, or CoAP for persistent low-latency streams.
  • Data Model — USP Data Model based on TR-181, where device parameters are addressable objects.

Together they enable push notifications, event subscriptions, and true real-time management — none of which TR-069’s polling model could deliver cleanly.

Security highlights

USP is designed for hostile networks and operational scale, which shows in its security model:

  • TLS 1.3 with mutual certificate authentication between Controller and Agent.
  • Per-object and per-command permissioning, so an Agent can refuse to apply commands that fall outside its policy.
  • Native audit logging for every command and every subscription change.
  • Sandboxing of potentially dangerous operations, reducing the blast radius of a compromised Controller.

These mechanisms address the classes of risk that plagued TR-069 deployments: unwanted remote commands from compromised ACS instances, replay attacks against unauthenticated payloads, and the lack of fine-grained policy boundaries inside a flat permission model.
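To make per-object and per-command permissioning concrete, here is an added example (not code from this article or from any USP implementation) of a default-deny check an Agent could run before applying a request, with every decision written to an audit trail. The role names, Controller endpoint IDs, and rule format are assumptions for illustration and are a simplified model rather than the role tables defined in TR-369.

```python
from fnmatch import fnmatchcase

# Simplified model, not the TR-369 role tables: each rule is
# (path_pattern, allowed_operations). First matching rule wins; no match = deny.
# Role names, Controller endpoint IDs and rules are constructed for illustration.
ROLES = {
    "noc-readonly": [
        ("Device.WiFi.*", {"get", "subscribe"}),
        ("Device.DeviceInfo.*", {"get"}),
    ],
    "provisioning": [
        ("Device.WiFi.Radio.*.Channel", {"get", "set"}),
        ("Device.Reboot()", {"operate"}),
        ("Device.*", {"get"}),
    ],
}
CONTROLLER_ROLE = {
    "proto::noc.example.net": "noc-readonly",
    "proto::provisioning.example.net": "provisioning",
}
AUDIT = []  # the Agent's audit trail: one record per decision, allow or deny


def authorize(controller_id, operation, path):
    """Decide whether `controller_id` may perform `operation` on `path`."""
    role = CONTROLLER_ROLE.get(controller_id)  # unknown Controller -> no rules
    allowed = False
    for pattern, ops in ROLES.get(role, []):
        if fnmatchcase(path, pattern):
            allowed = operation in ops
            break  # first match wins, so narrow rules go before broad ones
    AUDIT.append((controller_id, operation, path, "allow" if allowed else "deny"))
    return allowed
```

Because the first matching rule wins, the broad `Device.*` read rule in the provisioning role has to come last; placing it first would shadow the narrower write and operate rules.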

Integrating MikroTik with TR-369 today

RouterOS does not ship a native USP agent at the time of writing. That doesn’t block adoption — three practical patterns get you USP benefits on MikroTik fleets without waiting for native support.

Pattern 1: External USP agent / protocol bridge

Run an intermediate agent (container or VM) that speaks USP to the Controller upstream and uses the RouterOS API, SSH, or SNMP to manage the MikroTik downstream:

Controller ↔ Agent (USP) ↔ MikroTik (RouterOS API / SNMP)

This is the cleanest path. No RouterOS firmware changes are required, and you get a centralized adapter where mapping and input sanitization live in one place. The trade-off is an extra component to deploy and secure.

Pattern 2: MQTT bridge (MQTT ↔ RouterOS)

Use MQTT as a lightweight message bus. A small bridge subscribes to topics and translates messages into RouterOS commands:

  • network/mikrotik/<id>/command/reboot
  • network/mikrotik/<id>/telemetry/wifi_rssi

This fits environments that already use MQTT — IoT platforms, cloud event buses, building automation. It is simple, scales horizontally, and gives you natural pub/sub semantics. The trade-off is that careful topic design and access control on the broker become load-bearing.
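The following added example (not code from this article or from MikroTik) shows the validation step a bridge would run before touching a router, which is also the "mapping and input sanitization in one place" that Pattern 1 relies on. The device IDs, the allowlist contents, and the choice of `/system/reboot` as the mapped RouterOS API command are assumptions; the topic layout is the one listed above.

```python
import re

# Assumed bridge-side policy (not from the original article): the devices this
# bridge manages and the fixed RouterOS API words each command verb maps to.
KNOWN_DEVICES = {"rb4011-lab", "hap-ax3-branch1"}   # constructed sample IDs
COMMAND_MAP = {"reboot": ["/system/reboot"]}        # never built from payload text
TELEMETRY_KEYS = {"wifi_rssi"}
DEVICE_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,31}")


class Rejected(ValueError):
    """Raised for any message the bridge must drop and log."""


def parse_topic(topic):
    """Split a concrete topic into (device_id, kind, name) or raise Rejected."""
    if any(ch in topic for ch in "+#\x00"):
        raise Rejected("wildcard or NUL in a published topic")
    parts = topic.split("/")
    if len(parts) != 5 or parts[:2] != ["network", "mikrotik"]:
        raise Rejected("topic outside the bridge namespace")
    device_id, kind, name = parts[2:]
    if not DEVICE_ID.fullmatch(device_id) or device_id not in KNOWN_DEVICES:
        raise Rejected("unknown device id")
    if kind not in ("command", "telemetry"):
        raise Rejected("unknown topic kind")
    return device_id, kind, name


def translate_inbound(topic, payload):
    """Return (device_id, routeros_api_words) for an inbound command message."""
    device_id, kind, name = parse_topic(topic)
    if kind != "command":
        raise Rejected("telemetry topics are publish-only for the bridge")
    if name not in COMMAND_MAP:
        raise Rejected("command not on the allowlist")
    if payload not in (b"", b"{}"):
        raise Rejected("unexpected payload for an argument-less command")
    return device_id, list(COMMAND_MAP[name])


def telemetry_topic(device_id, key):
    """Build the outbound topic for a telemetry reading from a managed device."""
    if device_id not in KNOWN_DEVICES or key not in TELEMETRY_KEYS:
        raise Rejected("refusing to publish outside the telemetry schema")
    return f"network/mikrotik/{device_id}/telemetry/{key}"
```

The bridge-side check complements broker ACLs rather than replacing them: the broker decides who may publish to a command topic, and the bridge decides what a published message is allowed to become on the router.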

Pattern 3: Hybrid TR-069 + USP

Run both protocols side by side: TR-069 for legacy CPE that doesn’t have a USP path, USP for newer devices and net-new deployments. A phased migration reduces risk and lets you validate USP under load before fully committing. For background on the TR-069 baseline, see our Intelbras TR-069 management guide and the Intelbras OMCI guide.

Use cases beyond routers

USP isn’t router-only. It manages anything on the access network that exposes a USP agent: ONTs and ONUs, Wi-Fi 6/7 access points, IP cameras, set-top boxes, IoT sensors and actuators. That universality is what makes USP a foundational building block for Network-as-a-Service (NaaS) and automated operations — one Controller can orchestrate the whole subscriber side of a residential or enterprise edge.

TR-369 vs TR-069 at a glance

| Aspect | TR-069 | TR-369 (USP) |
| --- | --- | --- |
| Communication model | Poll / request-response | Bidirectional, event-driven |
| Transport | HTTP / SOAP | WebSocket, MQTT, CoAP |
| Security | Basic TLS | TLS 1.3 + mutual auth + native audit |
| Scalability | Limited (poll cycles dominate) | Designed for tens of thousands of devices |
| Multi-controller | No | Yes |

Migration and deployment best practices

  • Pilot small first. One Controller, a few Agents, a representative subset of devices. Learn the failure modes before they hit the full fleet.
  • Use mutual TLS with short-lived certificates. This is the single biggest security upgrade over TR-069 in real operations.
  • Centralize logs and build audit dashboards. USP gives you the audit trail; you have to give it somewhere to land.
  • Define RBAC policies per Controller and per device group. Multi-controller is a feature, but it needs intentional scoping.
  • Automate Agent deployment via containers or orchestration tooling. Manual Agent installs at scale don’t survive contact with reality.

Don’t expose Controllers or Agents directly to the public internet without layered protections — WAF, VPN, or network ACLs. The USP security model is strong but it assumes you don’t deliberately undermine it.

The future: automation and AI-friendly telemetry

USP’s event model and object granularity make it the right substrate for automated remediation and ML-driven analytics. Controllers can subscribe to fine-grained signals — Wi-Fi channel quality, CPU pressure, link flap counts — and automatically tune channels, reboot misbehaving APs, or reroute traffic on predictive signals. The data is structured, the events are real-time, and the schema is consistent across vendors. That’s the substrate AI-driven network management has been waiting for.

Take the next step

USP is a generational upgrade from TR-069: events instead of polling, modern security, and IoT-scale design. Even without native RouterOS support, agent bridges and MQTT translators let you adopt USP benefits on MikroTik fleets today.

If you’d rather not run your own USP infrastructure, MKController’s NATCloud provides centralized remote access, event collection, and controls that reduce the need for per-device agents or public IPs. For complementary remote-access patterns on MikroTik, see our WireGuard remote management guide and VPS-based management guide.
